Managing HTTP & Cleartext Traffic on Android with Network Security Configuration

James Montemagno

Did you know that starting with Android 9 (API level 28) cleartext(non-HTTPS) support is disabled by default? It is always recommended to make connections over HTTPS to ensure that any web communication is secure. This policy may have an impact on your development cycle if your app needs to download an image or file on a server hasn’t been configured for HTTPS. Also, you may just be trying to debug your application locally and don’t want to install development certs. You may have strong business requirements that all web traffic on all versions of Android is always HTTPS. This is where the new Network Security Configuration feature of Android comes in, to help us finely tune network traffic security in our app.

When does Cleartext apply?

Cleartext is disabled by default on Android 9 (Pie, API 28) devices when your application is set to target and compile against Android 9. On the project’s properties you will find the SDK you are compiling against under Application:

Inside of your Android Manifest options you will find the Target Framework that can be set to Android 9:

Network Security Config

To configure security options, you will create a new xml file under Resources/xml named network_security_config.xml.

The following configuration will enable cleartext web traffic to be allowed in our app for specific domains and IP addresses:

<?xml version="1.0" encoding="utf-8"?>
  <domain-config cleartextTrafficPermitted="true">
    <domain includeSubdomains="true"></domain> <!-- Debug port -->
    <domain includeSubdomains="true"></domain>

You can strengthen the security of your app by also restricting cleartext traffic on all versions of Android regardless of the compile and target framework. This is accomplished by setting cleartextTrafficPermitted to false. Enabling this will restrict any traffic that is non-HTTPS at all times.

Configure Application Manifest

The last thing that needs to be done is to configure the networkSecurityConfig property on the application node in the Android Manifest:

<?xml version="1.0" encoding="utf-8"?>
    <application android:networkSecurityConfig="@xml/network_security_config">

That’s it! Now the application is completely configured to allow or restrict cleartext during web requests.

Learn More

Network security configuration can do a lot more than just allow or restrict cleartext traffic in Android applications. It can configure trust anchors, debug-only overrides, certificate pinning, and more. Be sure to read through the Android developers documentation for a full guide. To enable cleartext traffic in iOS applications, you will want to take a look at our App Transport Security(ATS) documentation for a full walkthrough.


Discussion is closed. Login to edit/delete existing comments.

  • Standa Mikeš 0

    The hyperlink to Android developers documentation page is not working (404). 

  • david buckley 0

    Hi, James how do you deal with this when you are on an internal I am not on a domain so what would my value be in this case that goes in the XML file. Lest android is getting tougher on security makes sense.

    • James MontemagnoMicrosoft employee 0

      Yup, you would put the IP address inside of the file.

  • junior pires 0

    Hi, james I can’t find the androidManifest.xml file, where i can find it??

    • Arian Ovares Fernandez 0

      You can see it in the Android project, inside to “Properties”.

  • Arian Ovares Fernandez 0

    Very usefull. Thanks

  • yoo boo 0

    Hi, Nice tutorial. Did anything change meanwhile? I am trying to connect to a but I still get the cleartext error. I am sure I achieved this before but can’t remember if I followed here or somewhere else. I would really appreciate your help.

  • Kristofer Andersson 0

    Does this require any specific version of the Xamarin tools to work?

    I added a network_security_config file, and added it to the manifest. However, after that change the call to LoadApplication (Xamarin.Forms.Platform.Android.FormsAppCompatActivity.LoadApplication) on app startup throws a null reference exception:

    [0:] System.NullReferenceException: Object reference not set to an instance of an object.
    at Xamarin.Forms.Platform.Android.FormsAppCompatActivity.InternalSetPage (Xamarin.Forms.Page page) [0x0005e] in D:\agent_work\1\s\Xamarin.Forms.Platform.Android\AppCompat\FormsAppCompatActivity.cs:315
    at Xamarin.Forms.Platform.Android.FormsAppCompatActivity.SetMainPage () [0x00000] in D:\agent_work\1\s\Xamarin.Forms.Platform.Android\AppCompat\FormsAppCompatActivity.cs:343
    at Xamarin.Forms.Platform.Android.FormsAppCompatActivity.LoadApplication (Xamarin.Forms.Application application) [0x0025c] in D:\agent_work\1\s\Xamarin.Forms.Platform.Android\AppCompat\FormsAppCompatActivity.cs:139
    at SomeApp.MainActivity.OnCreate (Android.OS.Bundle savedInstanceState) [0x001db] in D:\work\xxx\MainActivity.cs:173

    • James MontemagnoMicrosoft employee 0

      Hmmm, that looks like something else. You would need to compile against Android 9.0. This wont have any impact on Xamarin.Forms itself as they are completely separate. Perhaps look at some other change that was made to the code.

  • Kostas Kousinovalis 0

    I came to your blog after searching on how to deal with cleartext_not_permitted.
    I have an app which loading pages from local so there is no SSL.
    The IP and the port is not the same everytime and it depends on the user.
    So i tried your solution but what if you don’t know the IP and the port?
    What we have to write to the config file?

      • James MontemagnoMicrosoft employee 0

        Basically: cleartextTrafficPermitted=”true”

        • Michael Miller 0

          Leave WHAT empty exactly? Because if you don’t specify a domain to allow you get this error:

          {Java.Lang.RuntimeException: Failed to parse XML configuration from network_security_config —> Java.Lang.Exception: No domain elements in domain-config at: Binary XML file line #1

          I think in your last post you were straight guessing. As far as I can tell what you have documented does NOT work. No matter what I try I get the clear text error. I’ve spent two days trying everything under the sun. It’s like Google thinks were too stupid to know to use SSL when deploying so they’ve made it impossible to run locally without it. It’s ridiculous.

  • Francesco Cavaliere 0

    hello, why do you keep giving me this error and don’t go on? thanks
    Using Network Security Config from resource network_security_config debugBuild: true
    my code :

    domain-config cleartextTrafficPermitted=”true”
    domain includeSubdomains=”true”> /domain
    domain includeSubdomains=”true”> /domain

Feedback usabilla icon